Schedule

Magnet User Summit 2019 gives you a chance to learn practical and useful information that can help you in your investigations.

We’re bringing in outside experts to deliver lectures that will give you a view of the exciting trends and best practices in the digital forensics industry as a whole.

And with our hands-on labs, you’ll get an in-depth look at Magnet Forensics products directly from our experts. You’ll have a chance to use Magnet AXIOM on sample case files to learn how you can maximize its use in your investigations.

Full Schedule

April 1

5:00PM - 7:00PM

April 2

7:30AM - 9:00AM

REGISTRATION AND BREAKFAST

8:30AM - 9:30AM

Lecture

Virtual Currency Investigations: Fear Not the Blockchains

Eric Huber, Vice President, National White Collar Crime Center (NW3C)

New to blockchain technology? In this presentation, learn basic concepts, such as what a blockchain/distributed ledger is, how mining and transactions work, and get a quick overview of PKI signing and its role in cryptocurrencies. You’ll also learn more about various types of wallets — ranging from paper wallets to the various new blockchain phones from HTC and SIRIN LABS. Additionally, you’ll learn more about digital currency exchanges, ATMs, LibertyX, localbitcoins.com, and more — and find out how crypto connects to traditional payment rails. Popular cryptocurrencies, such as Bitcoin, various altcoins, privacy coins, stable coins, and more will be explored, along with an Ethereum section where Ethereum, NEO, EOS, and the creation of an ecosystem for smart contracts and distributed apps (DAPPs), AKA Internet 2.0, will be explained. Cryptokitties will be used as a tool to show how DAPPs work because it's the internet, after all, and you have to have cats involved. DAPP radar and other DAPPs that are trying to break into the market will also be discussed. Additionally, you’ll learn about different types of cryptocrime — from physical crime (pointing a gun at someone and getting their private keys) to more traditional cryptocrime like ransomware, cryptojacking, fraudulent ICOs, etc. An investigative section will explain the four major areas of cryptocurrency investigation: digital forensics, blockchain exploring, open source investigation, and traditional financial investigation methods. You’ll learn how you can parse public blockchain data using freely available tools, learn more about SaaS tools such as Chainalysis and CipherTrace, and understand FinCEN, the Bank Secrecy Act, and Suspicious Activity Reporting. Finally, you’ll see how you can plug into the cryptoworld with resources such as Twitter, coinmarketcap.com, coincenter, podcasts, and more, to start connecting with the wild world of crypto discussion, debate, and education.

The Internet of Things (IoT) is an amazing, rich data source for both civil and criminal investigations. Do you consider the IoT an independent eyewitness in an investigation? You should. This presentation will explore how to properly gather and analyze IoT evidence. Attendees will leave this session understanding investigative possibilities/capabilities with some of the most common and newest IoT devices on the market. Can you associate IoT data with specific people? Can you confirm or refute a victim's or suspect’s story with just IoT data? Where is the IoT evidence? Once you know where it is, how can you access the evidence? Which tools parse the evidence? In closing, a never-before-seen IoT digital forensic artifact wiki will be released that will help the global effort to investigate the IoT.

9:00AM-10:30AM

Pictures, videos, and chats can all be key pieces of evidence in building cases for possession, distribution, and/or production of child sexual abuse material (CSAM), solicitation of a minor, and related crimes. However, these data quantities can range well into terabytes or even petabytes as investigators evaluate the evidence across multiple cases. In this lab, learn how key features in Magnet AXIOM, including Magnet.AI, categorization, and Child Protection System integration, work together to save time, reduce exposure to harmful content, and focus case-building to apprehend predators and rescue child victims.

New to Magnet Forensics, or an IEF user who recently upgraded to AXIOM? Come to this lab to learn about AXIOM’s support for artifacts from multiple evidence sources, including cloud, smartphone memory and backups, and computer hard drives and memory. Walk through the different examination views, single and multi-artifact examinations, and how AXIOM leverages machine learning for faster examinations. We’ll discuss how Connections in AXIOM connects files and users along a path of evidence, and how to build stronger timelines. Finally, learn about AXIOM’s flexible reporting options for sharing your findings with your stakeholders.

Many of the new mobile applications that daily hit the App Store and Google Play contain features that can contain crucial evidence. Often, though, commercial forensic tools cannot keep pace with these apps or their consumer usage. This lab will describe how to acquire evidence from a wide range of smartphones including Samsung, LG, Qualcomm, and off-brand devices using MTK chips. We’ll review methods to discover and parse data from unsupported applications, including the chat, contact, location, and historical data that can be found using AXIOM’s Dynamic App Finder. Finally, we’ll discuss how to create custom artifacts to parse and carve data from the unsupported databases.

9:45AM-10:45AM

Lecture

Windows Event Trace Log (ETL) Forensics

Nicole Ibrahim, Digital Forensics Expert, G-C Partners, LLC

Event Tracing for Windows (ETW), introduced in Windows 2000, is a Windows subsystem typically used for performance and debugging analysis by the Windows OS and by application developers. ETLs (Event Trace Logs) are ETW sessions that are stored to disk. They can be found in numerous locations on a Windows system and have the extension ‘.etl’. They can contain internal and external drive information, nearby WiFi SSIDs and configuration, process and thread information, file and disk IO, system sleep session studies, identified malware, Boot and Shutdown information and much more. This talk will cover what ETL files are, where you can expect to find them, decoding ETL files, caveats associated with them, and some interesting artifacts and forensically relevant data that ETL files can provide.

In the ever-changing cyber security landscape, sharing information with peers and colleagues has never been more important than it is right now. You likely have seen and/or compiled indicators to find a wide range of digital footprints, from ransomware to nation-state to organized crime to those annoying toolbars. However, some organizations (especially governments) try to limit the amount of information that is shared with others in the cyber security industry. This presentation will walk through a real-world scenario, involving real bad actors and real net defenders, that underscores the importance of checking your ego, setting aside preconceptions, and sharing actionable (and unclassified) data within the cyber security community to help ensure the protection of everyone. The "bad guys" are freely sharing information, so why shouldn't the "good guys"?

10:30AM-11:30AM

Break

11:00AM-12:30PM

Lab

Using GrayKey and AXIOM to Acquire and Parse iOS Data that Other Tools Miss

Magnet Forensics Training Team

Learn about the game-changing GrayKey device and its ability to go beyond backup files to get at file system, process memory, and keychain data. Find out how these capabilities extend across the versions and sub-versions of iOS 10, 11, and 12, and learn how to use a GrayKey device to extract data. Additionally, learn how to use Magnet AXIOM to ingest and process the data, put it together with other data such as what’s available from iCloud, and extend your findings with exclusive-to-AXIOM capabilities such as the Dynamic App Finder, SQLite viewers, and Plist viewers.

Forensics in the Corporate Cloud: How to Conduct Office 365 and Google Suite Investigations

Magnet Forensics Training Team

As enterprises of all sizes continue to shift data into cloud-based content storage and collaboration platforms, the evidence of all kinds of threats both internal and external lives less on hard drives or smartphones, and more on cloud servers. In this lab, learn how to use AXIOM Cloud to recover forensically sound content, metadata, and audit logs using administrative credentials from Microsoft® Office® 365 and Google Suite services. In addition, learn how to use Connections in AXIOM to tie cloud artifacts to computers and smartphones to see the full picture, demonstrate intent, and construct robust timelines for a complete story.

Cloud Forensics for Law Enforcement: Get the Evidence You Need to Move Cases Forward

Magnet Forensics Training Team

Evidence stored in servers belonging to service providers like Facebook and Google can be crucial in a law enforcement investigation—and also among the hardest to acquire. Even when you can get a warrant to force a provider to return data, collecting the data into a normalized, easy-to-analyze format can be tricky. This lab will focus on Facebook’s warrant return support and Download Your Information features for both Facebook and Instagram. We’ll describe how to ingest data into AXIOM Cloud and use commercial innovations to save time during investigations. We’ll also discuss how to acquire photos from Twitter without requiring user credentials, and features such as Magnet.AI that can help you identify key pieces of evidence.

11:30AM-12:30PM

Digital forensic backlogs are growing at a pace that makes it difficult for labs and examiners to keep up. Traditional methods of acquisition and analysis can be time- and resource-intensive. Applying a triage methodology to the forensic workflow and conducting targeted analysis can drastically reduce the amount of time the examiner spends per case. By implementing memory forensics in the early stages of the analysis process, the examiner will be able to both quickly build a profile of the user and locate indicators or artifacts which may be on the file system. Memory forensics can be used to track user activity, identify external devices, build user timelines, conduct registry analysis, identify applications and files the user may have accessed, locate passwords, recover network artifacts and much more. Memory acquisition and analysis is extremely fast and efficient when done properly and when the examiner implements a targeted approach. This presentation will walk through numerous memory analysis techniques using Volatility, bulk_extractor, page_brute, strings, YARA and hashcat, which can be implemented into the examiner's existing workflow to speed up the process and reduce backlogs.

Improvise, Adapt, Overcome: A New Mantra for Digital Forensics Professionals

Cindy Murphy, President, Forensics, Gillware

In the field of cybersecurity and digital forensics we follow an unwritten "rulebook": a set of beliefs and ground truths we commonly hold to be true. Sometimes, though, we find that what we thought was true simply isn’t. How do we reach a point of realizing our beloved “rules” are wrong? What do we do when we realize that what we held as a truth just isn’t true? Improvise, adapt, and overcome. Cybersecurity and digital forensics expert Cindy Murphy, M.Sc., will use this session to unpack some of the myths of digital forensics she has observed during her career. For example, when an SD card shows all zeros, is it actually empty? Or, are we really getting a full forensic image from this hard drive? From there, she will discuss how to navigate those myths and, most importantly, how to keep moving forward in an ever-changing industry. Session attendees will walk away feeling empowered to ask questions and challenge the status quo in the digital forensics profession.

2:30PM-3:00PM

3:00PM-4:00PM

As more desktop apps transition to the Windows app store (aka Windows Store), there is a need to understand these apps, which are written for UWP (Universal Windows Platform). These apps are distributed as APPX containers and follow a common theme regarding artifact locations. As of now, most forensic tools either do not report them at all or just provide a basic listing of installed apps. In this talk, we will outline the artifacts related to identifying installed apps, understanding various IDs (AppID, product_id, AUMID), versions, install/uninstall locations, timestamps, execution/usage artifacts, and cache locations in the registry and on disk for examination. We will also analyze some popular apps and sideloading (installing an app outside the store).

"I'm a 19-year-old college student...and I carry a badge." Technology is changing the nature of police investigations. Once considered rare in an investigation, items of digital evidence are now part of every case. From cell phones, to tablets, to computers, to social media accounts, digital evidence is ingrained in our everyday lives and presents itself in multiple formats in every investigation. As such, police agencies throughout the world are struggling to keep up with the volume of digital evidence to be analyzed. In this talk, audience members will learn about an innovative partnership formed between the St. Joseph County, IN Cyber Crimes Unit and the University of Notre Dame to address this issue. Since beginning this partnership, even with an increase of 106% in cases, the backlog has been reduced from 30 cases to zero cases and turnaround time for digital forensics has been reduced from 14 days to four hours.

3:00PM-4:30PM

Lab

Using GrayKey and AXIOM to Acquire and Parse iOS Data that Other Tools Miss

Magnet Forensics Training Team

Learn about the game-changing GrayKey device and its ability to go beyond backup files to get at file system, process memory, and keychain data. Find out how these capabilities extend across the versions and sub-versions of iOS 10, 11, and 12, and learn how to use a GrayKey device to extract data. Additionally, learn how to use Magnet AXIOM to ingest and process the data, put it together with other data such as what’s available from iCloud, and extend your findings with exclusive-to-AXIOM capabilities such as the Dynamic App Finder, SQLite viewers, and Plist viewers.

From Dead Box to Live Memory: Breathing Context into Forensic Investigations

Magnet Forensics Training Team

Traditionally the domain of experienced forensic examiners, memory analysis can provide access to evidence you can’t obtain through “dead-box” forensics alone. In many cases, memory analysis may be the only way to obtain evidence critical to solving your investigation. Using cybercrime and cybersecurity incident response case studies, this lab will discuss how AXIOM’s integration of core plugins from the popular tool, Volatility, makes deep memory analysis more accessible to forensic examiners. In addition, learn how to incorporate memory artifacts into a broader timeline together with artifacts from other data sources for a well-rounded investigation.

Many of the new mobile applications that daily hit the App Store and Google Play contain features that can contain crucial evidence. Often, though, commercial forensic tools cannot keep pace with these apps or their consumer usage. This lab will describe how to acquire evidence from a wide range of smartphones including Samsung, LG, Qualcomm, and off-brand devices using MTK chips. We’ll review methods to discover and parse data from unsupported applications, including the chat, contact, location, and historical data that can be found using AXIOM’s Dynamic App Finder. Finally, we’ll discuss how to create custom artifacts to parse and carve data from the unsupported databases.

4:15PM-5:15PM

Lecture

Leveraging PowerShell and Python for Incident Response and Live Forensic Applications

Chet Hosmer, Author, Python Forensics

This lecture/demonstration brings together the Python programming language and Microsoft’s PowerShell to address digital investigations at a new level. PowerShell provides digital investigators with a rich set of cmdlets and deep access to the internals of the Windows desktop, cloud services, and now Linux and Mac. The Python development environment provides a rich scripting environment allowing for the rapid development of new tools, deep analysis, automation, and correlation of evidence. Integrating the best of both technologies facilitates the creation of next-generation solutions for incident response, live forensic investigation, and e-Discovery. During this session, participants will learn the fundamentals of both PowerShell and Python, experience the value of integrating PowerShell and Python, and learn how to apply these open source integrations to current challenges.

Mobile devices haven’t stopped evolving since they first showed up in consumers’ pockets. In this panel session, hear from mobile forensics experts as they discuss current trends among smartphone hardware and operating systems, apps, and data storage (hint: it’s not always on the device). Find out about the methodologies the experts use to address acquisition and analysis challenges such as encryption, user locks, unknown apps, and testing and validation. Finally, learn mobile forensics tips and tricks you can start to implement as soon as you get home.

4:45PM-7:45PM

This question-and-answer-style challenge will give you the chance to test your forensic skills and compete for the chance to win prizes!

7:00PM

Customer Appreciation Event

Join your colleagues and the Magnet Forensics team for a night of fun that you will not want to miss! Dinner and drinks will be provided.

April 3

9:00AM-10:00AM

BREAKFAST

10:00AM-11:15AM

Magnet Forensics Keynote

11:15AM-12:30PM

The Forensic Lunch Podcast

Lunch will be served during a live recording of The Forensic Lunch podcast with David Cowen and Matthew Seyer.

12:30PM-1:30PM

Lecture

Leveraging AXIOM for Insider Threat Investigations

Kevin Murphy, Senior Insider Threat Analyst, American Express

Insider threat investigations require a broad set of tools to investigate potential threats. Endpoint security tools provide a great deal of value identifying user-based threats within an organization when hunt queries are tuned properly. In some cases, the results generated by endpoint security tools require additional endpoint triage to fully analyze user activity. This discussion will highlight how to utilize AXIOM to verify endpoint security alerts and uncover evidence that may not have been identified. One alert may be an indicator of nefarious intent that will lead to unknown evidence. Artifacts associated with this unknown evidence can provide value to tune the investigator’s hunt queries. Attendees will gain knowledge on how Magnet AXIOM can uncover unknown evidence and improve future endpoint security-based hunts.

Unsupported Apps. What Can Be Done? A Methodological Approach to Mobile App Forensics

Alexis Brignoni, Digital Forensics Examiner, Federal Law Enforcement

There are over four million mobile apps available between the two largest smartphone app stores. Our tools by themselves can only scratch the surface. What can be done? How can we best leverage our tools and grow our practice in order to obtain as much as we can from our examinations?

In this presentation you will learn how to:

Identify data stores of interest.

Use Structured Query Language (SQL) to extract and interpret the data.

Manage JSON formatted data inside and outside of SQLite databases.

Retain and reuse acquired knowledge by the generation of custom artifacts in Magnet AXIOM.

Use apps as viewers and parsers of targeted data through the use of virtual environments.

Set up manual examination when extraction and parsing is not possible.

12:30PM-2:00PM

Pictures, videos, and chats can all be key pieces of evidence in building cases for possession, distribution, and/or production of child sexual abuse material (CSAM), solicitation of a minor, and related crimes. However, these data quantities can range well into terabytes or even petabytes as investigators evaluate the evidence across multiple cases. In this lab, learn how key features in Magnet AXIOM, including Magnet.AI, categorization, and Child Protection System integration, work together to save time, reduce exposure to harmful content, and focus case-building to apprehend predators and rescue child victims.

From Dead Box to Live Memory: Breathing Context into Forensic Investigations

Magnet Forensics Training Team

Traditionally the domain of experienced forensic examiners, memory analysis can provide access to evidence you can’t obtain through “dead-box” forensics alone. In many cases, memory analysis may be the only way to obtain evidence critical to solving your investigation. Using cybercrime and cybersecurity incident response case studies, this lab will discuss how AXIOM’s integration of core plugins from the popular tool, Volatility, makes deep memory analysis more accessible to forensic examiners. In addition, learn how to incorporate memory artifacts into a broader timeline together with artifacts from other data sources for a well-rounded investigation.

Cloud Forensics for Law Enforcement: Get the Evidence You Need to Move Cases Forward

Magnet Forensics Training Team

Evidence stored in servers belonging to service providers like Facebook and Google can be crucial in a law enforcement investigation—and also among the hardest to acquire. Even when you can get a warrant to force a provider to return data, collecting the data into a normalized, easy-to-analyze format can be tricky. This lab will focus on Facebook’s warrant return support and Download Your Information features for both Facebook and Instagram. We’ll describe how to ingest data into AXIOM Cloud and use commercial innovations to save time during investigations. We’ll also discuss how to acquire photos from Twitter without requiring user credentials, and features such as Magnet.AI that can help you identify key pieces of evidence.

1:45PM-2:45PM

Within both realms of investigators and examiners, there are several tools available to the individual for analyzing the data. But in this day and age, what if that data is still live on the internet? The goal of this talk is to provide unique skillsets that may take an ongoing investigation one step further. This will be done by presenting open-source websites and frameworks typically used in Open-Source Intelligence (OSINT) to leverage information from case studies where evidence is available via disk image or in the initial stages of an investigation. Sources looked at include web scraping, automated websites that check whether malware or other tracking services are hosted on a site, and people-finder websites.

Whether you’re a corporate investigator of employee misconduct or intellectual property theft, or you respond to incidents as part of a security operations center or managed security services team, be sure to join our panel presentation. Hear from the experts about the trends they’re noticing in corporate environments and the digital forensics industry at large. Find out how to meet challenges using best practices for efficient, cost-effective investigations. Finally, whether you’re advancing through the corporate ranks or transitioning from public to private sector, get insights on how to advance your career in corporate investigations.

2:00PM-3:15PM

Break

2:30PM-4:00PM

Lab

Using GrayKey and AXIOM to Acquire and Parse iOS Data that Other Tools Miss

Magnet Forensics Training Team

Learn about the game-changing GrayKey device and its ability to go beyond backup files to get at file system, process memory, and keychain data. Find out how these capabilities extend across the versions and sub-versions of iOS 10, 11, and 12, and learn how to use a GrayKey device to extract data. Additionally, learn how to use Magnet AXIOM to ingest and process the data, put it together with other data such as what’s available from iCloud, and extend your findings with exclusive-to-AXIOM capabilities such as the Dynamic App Finder, SQLite viewers, and Plist viewers.

Forensics in the Corporate Cloud: How to Conduct Office 365 and Google Suite Investigations

Magnet Forensics Training Team

As enterprises of all sizes continue to shift data into cloud-based content storage and collaboration platforms, the evidence of all kinds of threats both internal and external lives less on hard drives or smartphones, and more on cloud servers. In this lab, learn how to use AXIOM Cloud to recover forensically sound content, metadata, and audit logs using administrative credentials from Microsoft® Office® 365 and Google Suite services. In addition, learn how to use Connections in AXIOM to tie cloud artifacts to computers and smartphones to see the full picture, demonstrate intent, and construct robust timelines for a complete story.

This certification will authenticate your expertise and competence using Magnet AXIOM for your digital forensics investigations. The test will consist of 45 questions that are a mix of theory and practical questions. There is an 80-minute time limit and a passing score is 80% or higher. Computers will be provided.

3:15PM-4:15PM

Magnet Forensics has been — and continues to be — a leader in the community in combatting online child sexual exploitation (CSE). By adopting the Project VIC data standard, police can import and export hashes from any of the Project VIC databases: USA, Canada, Australia, or the UK (CAID). The adoption of Project VIC in Magnet AXIOM enables the police to better share data with integrated CSE software products used for classification. Using "Identifiers", CSE investigators can now export usernames, email addresses, and screen names into other Intelligence databases. This collaborative feature enables the police to better investigate their CSE offender and reveal other networked offenders. Lastly, through a partnership with Child Rescue Coalition, AXIOM is now integrated with the Child Protection System (CPS). The presentation will review real world examples of success from this collaboration.

A planned methodology for developing and implementing a forensically sound incident response plan in Microsoft's Office 365 cloud environment must be thoroughly researched and re-evaluated since over time the system evolves — new features are introduced and older capabilities are deprecated. This presentation will walk through the numerous forensic, incident response, and evidentiary aspects of Office 365. The presentation is based on two years' worth of collection of forensics and incident response data in Microsoft's Office 365 and Azure environments. It combines knowledge from more than a hundred Office 365 investigations, primarily centered around Business Email Compromise (BEC) and insider threat cases.